AXSA:2021-1510:01

Release date: 
Friday, February 19, 2021 - 11:51
Subject: 
nodejs:14 security and bug fix update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.15.4).

Security Fix(es):

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* yarn install crashes with nodejs:14 on aarch64.

CVE-2020-15366
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
CVE-2020-7754
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-7774
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-8265
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8277
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
CVE-2020-8287
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Modularity name: nodejs
Stream name: 14

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.3-1.module+el8+1187+a52be6cc.src.rpm
    MD5: a23860a2e24f2fa04bbcecbb3a376033
    SHA-256: d19e4d83a9382684fd65c567015423723902863e045fc190d2532b66cf788a3b
    Size: 1.15 MB
  2. nodejs-packaging-23-3.module+el8+1187+a52be6cc.src.rpm
    MD5: 387f36b9d2845017bf5d79f15e59ec24
    SHA-256: dbbe29dce1c18b3f83a921be6a0a972d1caa263431daaf7e03e2f711a02d24d5
    Size: 26.56 kB
  3. nodejs-14.15.4-2.module+el8+1187+a52be6cc.src.rpm
    MD5: 36681ca3366bbfc2a1a9abe7d037a535
    SHA-256: 5dbc10c1c2624aeb1fb02cd19a0ca64d13163a6e8ec2e7d8625e3d009688f0ed
    Size: 65.30 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1187+a52be6cc.noarch.rpm
    MD5: 639ad3638a2c23ac5a7b0463547a36a3
    SHA-256: 34d7b03fe516de32a827f1ef3add4f2fe958f03eceb771ed7fa88cb59aa218a7
    Size: 806.99 kB
  2. nodejs-packaging-23-3.module+el8+1187+a52be6cc.noarch.rpm
    MD5: a2c18743efcbe45bcce2c4639111bec7
    SHA-256: 9dd81257e2e75f35e2a37096194cd73943eefdc03cbc522142a2400a4214c78f
    Size: 23.02 kB
  3. nodejs-14.15.4-2.module+el8+1187+a52be6cc.x86_64.rpm
    MD5: 096a0cbb20a72893641203068cfb39c7
    SHA-256: df01152048847db22b4b4e4580dfa7bb9a2ae4b5be44669f84098bb2af01776f
    Size: 10.61 MB
  4. nodejs-debugsource-14.15.4-2.module+el8+1187+a52be6cc.x86_64.rpm
    MD5: 3c44fdd0d9a523f955ba36c91fb815d7
    SHA-256: e8967ac8dd4ca7cac093cb355e1293d283afc640d3a62435369e946a71ecc990
    Size: 10.77 MB
  5. nodejs-devel-14.15.4-2.module+el8+1187+a52be6cc.x86_64.rpm
    MD5: 42628b5e8938388da9d9f07d73c0d310
    SHA-256: 070afd217599606c302177f462b133f0b017b39ee9d041ae3557dcc41d2ddb44
    Size: 199.99 kB
  6. nodejs-docs-14.15.4-2.module+el8+1187+a52be6cc.noarch.rpm
    MD5: bd31db3984fcdd98a3d09feef1cc3525
    SHA-256: 062a0462d3371e088541b4026d20e07f73cace13d6859af451fb5a62149ff4ca
    Size: 7.92 MB
  7. nodejs-full-i18n-14.15.4-2.module+el8+1187+a52be6cc.x86_64.rpm
    MD5: 7b46721088b923da601820c759c3f634
    SHA-256: c1008e9a6014f953fa3fd9ce9d4fb2de0d4496412d7fdbf3a940470da8966fc8
    Size: 7.49 MB
  8. npm-6.14.10-1.14.15.4.2.module+el8+1187+a52be6cc.x86_64.rpm
    MD5: e9c01c43ce6570280174c3556f457275
    SHA-256: ab2aa2e48e62d9b17aacc471c618f3352246ba2537a9fb930d5c948a307f31f8
    Size: 3.67 MB
Copyright© 2007-2015 Asianux. All rights reserved.